kata-research-phase

Fail

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill performs shell operations in its process steps that use the $ARGUMENTS variable without adequate sanitization. Specifically, in Step 1 of SKILL.md, if the input does not match a numeric pattern, the raw string is assigned to the PHASE variable. This variable is subsequently interpolated into double-quoted shell commands such as grep -A5 "Phase ${PHASE}:" .planning/ROADMAP.md. An attacker can use shell expansion syntax (e.g., $(command)) within the argument to execute arbitrary code on the host system.
  • [COMMAND_EXECUTION]: The subagent instructions in references/phase-research-instructions.md also contain shell command templates (e.g., git add, find, cat) that expand variables derived from potentially untrusted project file names and phase inputs, creating multiple opportunities for command injection or unauthorized file access.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. The research agent is explicitly instructed in references/phase-research-instructions.md that information found in *-CONTEXT.md files represents 'locked choices' that 'MUST constrain' its research and behavior. If an attacker or a malicious process can write to these planning files, they can effectively hijack the subagent's instructions to perform unauthorized actions or exfiltrate data via the provided web tools.
  • Ingestion points: The subagent reads content from .planning/phases/*/*-CONTEXT.md and other planning documents.
  • Boundary markers: The instructions use XML-style tags (e.g., <context>) to delineate some fields, but the ingested file content is interpolated into the prompt without escaping or 'ignore embedded instructions' warnings.
  • Capability inventory: The subagent has access to shell commands (find, cat, git), web searching (mcp__web_search), and documentation fetching (mcp__context7, WebFetch).
  • Sanitization: No sanitization or validation of the ingested file content is performed before it is treated as a binding constraint for the agent's logic.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 10, 2026, 11:59 AM